It's no secret that the IT industry is very unregulated, and in so many ways I am thankful that it's not. However, it does present some interesting dilemmas that other service-based industries do not often see. For example, just about anyone can say "I'm an IT professional" or "My cousin's son is a wiz with computers", etc. There is a huge difference between someone who can upgrade a stick of RAM in a computer and someone who has been in the IT industry for 30 years. That's not to say there is anything wrong with people who can upgrade a stick of RAM, because we all, even IT professionals with 30 years of experience, started at the same place. However, companies like ours get to spend the other aspects of our business developing documentation and policies that our clients can use, which most people starting out in IT don't yet have a good knowledge or understanding of.
A prime example of that is something that we've been working on for our CPA and bookkeeping professionals: a Written Information Security Plan (WISP). This is a relatively new law that was passed via the Gramm-Leach-Bliley Act, or GLBA for short, which has prompted the FTC to provision new Safeguard measures that apply directly to CPA firms, tax professionals, and bookkeepers; however, it also applies to mortgage brokers, real estate appraisers, universities, and a host of other business types.
While our business model addresses all of the concerns of the FTC Safeguard provisions, the WISP document details what the responsibilities of the business itself are versus what can be implemented technology-wise. Cyber security has always been part management, part technology solutions. The document itself also checks the box for the FTC Safeguard provision to have a written WISP on hand.
These are the fun, and I use that term very sarcastically, things we get to work on in the often mystical side of IT. However, it is a very necessary side of IT so that we keep our clients covered and protected from outside, inside and regulatory risk.