Written Information Security Policy (WISP)

L&P Aesthetics Medical, Inc. Written Information Security Policy (WISP)

Last updated August 10, 2024

1. Introduction

This Written Information Security Policy (WISP) establishes guidelines and procedures for safeguarding sensitive information at L&P Aesthetics Medical, Inc. (“the Company”), a plastic surgery practice and med spa based in Palo Alto, California. This policy is designed to protect the confidentiality, integrity, and availability of sensitive information, including Protected Health Information (PHI) and Personally Identifiable Information (PII).

2. Scope

This policy applies to all employees, contractors, temporary workers, and third-party service providers who have access to sensitive information maintained by the Company. It covers all forms of sensitive information, whether electronic or physical, at rest or in transit.

3. Information Security Officer

The Company shall designate an Information Security Officer (ISO) responsible for implementing, maintaining, and enforcing this policy. The ISO will report directly to senior management and will be responsible for:

  • Developing and updating information security policies and procedures
  • Conducting regular risk assessments
  • Overseeing employee training on information security
  • Responding to security incidents
  • Ensuring compliance with relevant laws and regulations

4. Risk Assessment

The Company shall conduct annual risk assessments to identify potential threats to sensitive information. These assessments will:

  • Inventory all systems and applications that process or store sensitive information
  • Identify potential vulnerabilities in these systems
  • Assess the likelihood and potential impact of security breaches
  • Recommend and prioritize security controls to mitigate identified risks

5. Access Control

Access to sensitive information shall be restricted to authorized individuals on a need-to-know basis. The following controls shall be implemented:

  • Unique user IDs for each employee
  • Strong password requirements (minimum 12 characters, complexity rules)
  • Multi-factor authentication for remote access and privileged accounts
  • Regular review and update of access rights
  • Immediate revocation of access upon termination or change of role
  • Logging and monitoring of access attempts

6. Data Classification

All data shall be classified according to its sensitivity:

  1. Public: Information that can be freely shared
  2. Internal: Non-sensitive information for internal use only
  3. Confidential: Sensitive information that requires protection
  4. Restricted: Highly sensitive information (e.g., PHI, financial data)

Access and handling procedures shall be based on these classifications.

7. Data Encryption

All sensitive data shall be encrypted:

  • At rest: Using AES-256 encryption (256-bit keys)
  • In transit: Using TLS 1.2 or higher for network communications
  • On mobile devices: Full-disk encryption for laptops and mobile devices

Encryption keys shall be securely managed and rotated regularly.

8. Physical Security

Physical access to areas where sensitive information is stored or processed shall be restricted:

  • Keycard access to office areas
  • Visitor logs and escort requirements
  • Secure storage for physical documents (locked file cabinets, safes)
  • Clean desk policy
  • Proper disposal of physical documents (cross-cut shredding)

9. Network Security

The Company’s network shall be protected by:

  • Next-generation firewalls with intrusion detection/prevention systems
  • Regular security patch management
  • Network segmentation to isolate sensitive systems
  • Virtual Private Network (VPN) for remote access
  • Wi-Fi networks secured with WPA3 encryption

10. Endpoint Security

All endpoints (computers, mobile devices) shall be protected by:

  • Endpoint Detection and Response (EDR) software
  • Regular software updates and patch management
  • Mobile Device Management (MDM) for company-owned mobile devices
  • Prohibition of personal devices for accessing sensitive information

11. Third-Party Risk Management

All third-party service providers with access to sensitive information shall be subject to:

  • Due diligence before engagement
  • Contractual obligations to maintain appropriate security measures
  • Regular security assessments
  • Limited access to only necessary information

12. Incident Response Plan

The Company shall maintain an Incident Response Plan that includes:

  • Procedures for detecting, reporting, and containing security incidents
  • Roles and responsibilities of the incident response team
  • Communication protocols for notifying affected parties and authorities
  • Steps for preserving evidence and conducting post-incident analysis

13. Business Continuity and Disaster Recovery

The Company shall maintain and regularly test plans for:

  • Backing up sensitive information (daily incremental, weekly full backups)
  • Storing backups securely off-site
  • Restoring systems and data in case of disaster
  • Maintaining operations during extended outages

14. Employee Training and Awareness

All employees shall receive regular security awareness training, including:

  • Annual comprehensive security training
  • Quarterly phishing simulations
  • Regular security bulletins and updates

15. Compliance and Auditing

The Company shall:

  • Conduct annual internal audits of security controls
  • Engage third-party auditors for biennial comprehensive security audits
  • Maintain compliance with relevant regulations (e.g., HIPAA, CCPA)
  • Keep detailed logs of all security-related activities

16. Policy Review and Updates

This WISP shall be reviewed and updated annually or whenever there are significant changes to the Company’s operations or the threat landscape.

17. Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. Serious violations may also result in legal action.

By implementing and adhering to this Written Information Security Policy, L&P Aesthetics Medical, Inc. demonstrates its commitment to protecting sensitive information and maintaining the trust of its patients and partners.
