WISP Generator
The FTC Safeguards Rule (16 CFR Part 314) requires every covered "financial institution" — including CPA firms preparing tax returns, RIAs, mortgage brokers, and many others — to maintain a comprehensive Written Information Security Program. The WISP is the backbone document: it names your Qualified Individual, documents your risk assessment, and describes every safeguard from access controls and MFA to encryption, monitoring, vendor oversight, incident response, and board reporting. This free interactive generator turns a blank page into a structured, citation-mapped WISP draft. Enter your firm details, toggle the safeguards you have in place, watch the document build live, and download it as a .txt — all entirely in your browser, with nothing sent to any server. Any safeguard you leave off is flagged as a gap with a remediation note, so your draft doubles as a punch list. It is a starting-point template, not legal advice — have counsel and your Qualified Individual review it before adoption.
Generate Your Written Information Security Program
Fill in your firm details and toggle the safeguards you have in place. The tool builds a structured WISP draft mapped to 16 CFR § 314.4, live, in your browser. Nothing is sent to any server. Download it as a .txt file when you are done.
Not legal advice. This is a starting-point template, not a finished compliance program. Have qualified counsel and your Qualified Individual review and tailor it to your organization before adoption.
Toggle the safeguards your firm currently has. Anything you leave off is written into the WISP as a flagged GAP with a remediation note.
WRITTEN INFORMATION SECURITY PROGRAM (WISP)
[COMPANY LEGAL NAME]
Prepared pursuant to the FTC Safeguards Rule, 16 CFR Part 314
Effective Date: June 6, 2026
================================================================
DISCLAIMER
This document is a starting-point template generated automatically. It is
NOT legal advice and is NOT a substitute for review by qualified counsel.
Have your attorney and your Qualified Individual review and tailor this WISP
to your organization before adoption.
1. PURPOSE & SCOPE
This Written Information Security Program ("WISP") documents the administrative,
technical, and physical safeguards that [COMPANY LEGAL NAME] ("the Company") has implemented
to protect the security, confidentiality, and integrity of customer information,
as required by the FTC Safeguards Rule (16 CFR Part 314). It is reasonably
designed for the size and complexity of the Company, the nature and scope of its
activities, and the sensitivity of the customer information at issue.
Business description: [Describe the nature, size, and complexity of the business and its activities.]
Customer information handled: [List the types of customer information handled — e.g., names, SSNs, financial account numbers, tax records, payment card data.]
Where customer information is stored: [Describe where customer information is stored — on-premises servers, cloud (e.g., Azure/AWS), and SaaS applications.]
2. DESIGNATION OF QUALIFIED INDIVIDUAL [§ 314.4(a)]
The Company designates [QUALIFIED INDIVIDUAL NAME] ([TITLE]) as the Qualified Individual responsible
for overseeing, implementing, and enforcing this information security program.
The Qualified Individual may delegate tasks but retains responsibility for the
program and reports to the Company's governing body as set out in Section 14.
3. RISK ASSESSMENT [§ 314.4(b)]
The Company performs and periodically updates a written risk assessment that
identifies reasonably foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information that could result in
unauthorized disclosure, misuse, alteration, destruction, or other compromise.
The risk assessment includes criteria for evaluating and categorizing those
risks, criteria for assessing the adequacy of safeguards, and a description of
how identified risks will be mitigated or accepted. The safeguards in Section 4
are designed to address the risks identified.
4. SAFEGUARDS [§ 314.4(c)]
Based on the risk assessment, the Company implements and periodically reviews
the following safeguards to control the identified risks:
4.1 Access Controls
GAP: Formal access controls and a least-privilege model have not yet been fully implemented. The Company will deploy role-based access controls and periodic access reviews. Privileged Access Management (PAM) is recommended to satisfy this requirement. [§ 314.4(c)(1)]
GAP: Multi-factor authentication is not yet enforced on all systems holding customer information. The Company will deploy MFA across all such systems as a priority remediation item. [§ 314.4(c)(5)]
4.2 Data Inventory & Classification
GAP: A complete inventory of data, devices, systems, and facilities handling customer information has not been established. The Company will build and maintain this inventory. [§ 314.4(c)(2)]
4.3 Encryption
GAP: Encryption of customer information at rest has not been fully implemented. The Company will encrypt customer information at rest or document Qualified-Individual-approved compensating controls. [§ 314.4(c)(3)]
GAP: Encryption of customer information in transit over external networks has not been fully implemented. The Company will enforce transport encryption (e.g., TLS) for all such transmissions. [§ 314.4(c)(3)]
4.4 Secure Development
GAP: Formal secure development practices and procedures for evaluating externally developed applications have not been documented. The Company will establish these procedures. [§ 314.4(c)(7)]
4.5 Change Management
GAP: Formal change management procedures have not been documented. The Company will adopt change management procedures; PAM-based application allowlisting is recommended to satisfy execution control. [§ 314.4(c)(7)]
4.6 Secure Disposal
GAP: Documented secure disposal procedures and a periodic data minimization review have not been established. The Company will document and implement secure disposal procedures. [§ 314.4(c)(6)]
4.7 Monitoring & Logging
GAP: Centralized logging and monitoring of authorized user activity has not been fully implemented. The Company will deploy logging and monitoring with unauthorized-access detection. [§ 314.4(c)(8)]
5. CONTINUOUS MONITORING OR PENETRATION TESTING & VULNERABILITY ASSESSMENT [§ 314.4(d)]
GAP: The Company has not established continuous monitoring or the alternative of annual penetration testing plus biannual vulnerability assessments. The Company will implement one of these approaches.
6. SERVICE PROVIDER OVERSIGHT [§ 314.4(f)]
GAP: Formal service provider due diligence, contractual safeguard requirements, and periodic reassessment have not been established. The Company will implement a vendor oversight program.
7. INCIDENT RESPONSE PLAN [§ 314.4(h)]
GAP: A written incident response plan has not been established. The Company will author an incident response plan addressing roles, communications, remediation, documentation, and FTC notification obligations.
8. TRAINING & PERSONNEL [§ 314.4(e)]
GAP: A formal security awareness training program has not been established. The Company will implement recurring training updated to reflect identified risks.
9. PROGRAM EVALUATION & REVISION [§ 314.4(g)]
The Company evaluates and adjusts this information security program in light of
the results of testing and monitoring, material changes to operations or
business arrangements, the results of risk assessments, and any other
circumstances that the Qualified Individual knows or has reason to know may have
a material impact on the program. This WISP is reviewed at least annually.
10. REPORTING TO THE BOARD [§ 314.4(i)]
The Qualified Individual reports in writing, at least annually, to the Company's
board of directors or equivalent governing body (or, if none, to a senior
officer responsible for the Company's information security program). The report
addresses the overall status of the program and the Company's compliance with
the Safeguards Rule, and material matters related to the program, including
risk assessment results, risk management and control decisions, service provider
arrangements, testing results, security events and management's responses, and
recommendations for changes to the program.
================================================================
Generated by the LayerLogix WISP Generator — https://layerlogix.com
LayerLogix is a Texas MSP (HQ: The Woodlands, TX) delivering FTC Safeguards
Rule managed compliance, vCISO / Qualified Individual services, and Privileged
Access Management. Call 888-792-8080.
This template is not legal advice. Have counsel and your Qualified Individual
review and tailor it before adoption.
100% browser-only. Nothing you type is sent to any server, logged, or stored.
What We Offer
Comprehensive solutions tailored for Houston-area businesses
Maps to 16 CFR § 314.4
Every section of the generated WISP is mapped to a Safeguards Rule citation — Qualified Individual, risk assessment, access controls, encryption, secure development, change management, monitoring, service provider oversight, incident response, training, and board reporting.
Guided Inputs
Plain-language fields for company name, your designated Qualified Individual, business description, types of customer information handled, and where data lives — on-prem, cloud, or SaaS.
Toggle Your Safeguards
Flip on the controls you already have — MFA, encryption at rest and in transit, asset inventory, vendor oversight, training, incident response, monitoring, secure disposal, change management, and continuous monitoring or penetration testing.
Honest Gap Flagging
Any safeguard you leave off is written into the WISP as a clearly labeled GAP with a remediation note — so the document doubles as a punch list, not a checkbox you can fake.
Live Document Preview
Watch the structured WISP build itself as you type. What you see in the preview pane is exactly what downloads.
Download as .txt
One click exports the full WISP draft client-side via Blob. Bring it to your Qualified Individual, your CPA peer review, or your cyber insurance renewal.
Why Choose LayerLogix?
Serving businesses throughout the Greater Houston area including Houston, The Woodlands, Sugar Land, Dallas, Fort Worth, Austin, San Antonio.
A Required Document, Started in Minutes
A WISP is the backbone document the Safeguards Rule expects. This tool turns a blank page into a structured, citation-mapped draft in minutes instead of weeks.
Built as a Punch List
Because gaps are flagged in-line, your draft WISP doubles as a remediation roadmap your Qualified Individual can work through control by control.
Cyber Insurance & Peer-Review Ready
A documented WISP is one of the first artifacts underwriters and CPA peer reviewers ask for. Having a real one shortens those conversations.
No Email Gate
No signup, no email, no upsell on the tool itself. We earn the conversation by giving away the tool — the WISP stays on your device.
100% Browser-Only
Nothing you type is sent to LayerLogix servers, logged, or stored. The entire document is generated client-side in your browser.
Frequently Asked Questions
What is a WISP and does the FTC Safeguards Rule require one?
Is the generated WISP legal advice or a finished compliance program?
Is my company subject to the FTC Safeguards Rule?
What does "designated Qualified Individual" mean, and can it be outsourced?
What happens to the safeguards I leave unchecked?
Is anything I type sent to LayerLogix?
Do you provide WISP Generator in Houston and nearby areas?
What does WISP Generator cost for a Houston business?
Ready to Get Started?
Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, The Woodlands, Sugar Land, and the surrounding Greater Houston area.