Frequently Asked Questions
Cybersecurity compliance and the variety of laws and industry regulations can be quite confusing. If you are unable to find an answer to your question in the following FAQs, please contact us and we will respond as soon as we can.
+ What is the difference between the Digital Security Program (DSP) and the Written Information Security Program (WISP)?
Great question! We put together an entire page to help discuss those differences - https://www.complianceforge.com/dsp-vs-wisp
There are three competing frameworks for what really define "best practices" within cybersecurity - (1) National Institute of Standards and Technology (NIST) 800-53, (2) NIST Cybersecurity Framework and (3) International Standards Organization (ISO) 27002.
Based upon our experience, NIST 800-53 (revision 4) is the most comprehensive framework for building an information security program and it is the source of best practice for US government agencies. Given that, companies that are heavily involved in government contracting tend to go NIST. However, most non-government organizations prefer the ISO 27002 (2013 version) framework, since it is a more recognized international standard. It really comes down to personal preferences for how the standards are arranged and the level of detail - think along the lines of the old "Coke vs. Pepsi" argument, where a lot of it comes down to personal preferences for which framework is preferred.
Standards are standards for a reason. If you "save money" on a lesser solution, you simply get what you pay for by getting a lesser solution that likely is not build upon an industry-recognized best practice. This all affects your company's ability to prove due care and due diligence by following what is reasonably expected for managing your IT security program.
Our goal is to provide a solution that meets what businesses face today and what they can expect to face in the future. We do not offer “bronze, silver or gold” packages like some competitors offer - we know the industry-recognized best practices and we created solution that meets our client’s business compliance requirements.
+ How are the Digital Security Program (DSP) and Written Information Security Program (WISP) a "customized" set of policies?
Based on our extensive experience consulting with businesses on Information Security projects and documentation, we developed a very robust template of policies, procedures, standards, and guidelines that businesses require to meet compliance requirements. Since most compliance requirements are based on industry-recognized “best practices” and that standards are openly published, we were able to develop a modular approach to policies and create a customized template framework. This allows us to efficiently customize the policies for our clients.
Our solution is approximately 1/10th the cost of hiring a dedicated Information Security consultant to write policies for your company. The irony is that those Information Security consultants use the same basis of working off templates for their clients. The end result is the same that you get customized Information Security policies for an extremely affordable cost.
+ What expertise is relied upon for the Digital Security Program (DSP), Written Information Security Program (WISP) & PCI DSS Policy documents?
Our products have been thoroughly peer-reviewed from members of the the IT, Information Security, Physical Security, and Legal professions for a very well-rounded and professional product. The lead author is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), MBA, and former military officer with over 15 years of Information Security experience.
CISSPs must follow a strict code of ethics from the (ISC)2:
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
A single negligent breach can close your business forever, because liability insurance will not cover professional negligence. Without the ability to prove steps are taken to ensure due care and due diligence are applied to your business operations, you may be considered negligible in a lawsuit. Additionally, it is a tool employers can use to enforce proper conduct by employees.
Information Security policies form the foundation for your organization's attitudes and actions towards protecting the confidentiality, integrity and availability of your data. This is immensely important in terms of not only keeping you in business from being able to function, but it also puts safeguards in place to reduce your liabilities from the actions your employees either do or fail to do.
We also put together more information here to help explain the differences - https://www.complianceforge.com/dsp-vs-wisp
+ How is your policy manual different from the free templates I can find on the Internet?
The WISP and DSP are customized specifically for your company, as if you employed an Information Security professional to write a set of policies for your company in-house. With a lot of template sites, options are given to pick and choose policies. Realistically, unless you are trained in Information Security and legitimately know what components are required to meet compliance minimums with a law or regulation, you are assuming a significant liability. Without expertise, it is a situation of “the blind leading the blind” in selecting and implementing policies.
+ Why don’t I save money and create my own policies?
It took well over 400 hours to develop the Information Security policies, standards, procedures and guidelines in the WISP. Even if you do it in 1/4 of the time, how much did that cost you when you could have been doing other things? For what we charge for our products, it is a fantastic deal - it is as simple as that!
The expertise that has been drawn upon to develop the WISP covers over three decades of experience in mitigating risk for technical, operational, and physical threats. You are buying expertise. With a lot of lesser options on the Internet, you get what you pay for - it is as simple as that. When it comes to the liability facing your company, it would be careless to rely on amateur solutions. You use a CPA for your finances. You see a doctor for your medical care. Why would you rely on an amateur solution for your Information Security needs?
+ How can I justify the price?
The WISP and DSP are a fraction of the cost for a comparable product produced from an on-site consultant. The cost for a WISP through ComplianceForge.com is approximately 1/10th the expense of hiring an Information Security consultant to custom-build the same policies, procedures, standards, and guidelines you can buy through our website.
In comparison, the Written Information Security Program (WISP) is less expensive than the following:
- Average business-class router
- 3 hours of a security consultant’s time (estimate 40-80 hours for an on-site solution)
- 2 hours of a lawyer’s time to assist in a disciplinary action when an employee counters that he/she was never informed of any restrictions or prohibitions that would lead to employee termination or discipline
- Cleanup following a malware infection (2-5 hours of IT support costs)
- Loss of business prestige from being compromised
- The thoroughness of the WISP for its cost is currently without rival. We know the competition and we can confidently make that claim.
+ What forms of payment do you accept?
All major forms of credit and debit card are accepted. We can also take offline orders through invoicing. ComplianceForge.com does not have access to or retain your credit card information - all credit card transactions are processed directly by a secure processor that is PCI DSS compliant.
+ Will the WISP or DSP have your logo or mine?
If you have a logo, have it ready at the time of purchase since you will be prompted to upload it. The cover page of the WISP will have your company's logo prominently displayed. The rest of the document will have your company name throughout, so anyone reading the document will get the feel the WISP was custom created and tailored to your company.
+ What if I do not have a logo?
Not a problem - you can have the WISP or PCI DSS Policy made without a logo if you do not currently have one or if you wish to leave the logo off the cover page. Regardless if you have a logo or not, your company’s name will be embedded throughout the WISP. The WISP will still look very professional, even without your logo on the front page.
+ What do I need to provide?
We would like to have a high-resolution company logo file (JPG, GIF or BMP), but we do need your company’s official name and your company’s common name. You will be prompted to upload this information prior to payment.
Examples of "official" and "common" names for businesses: Official Name (Common Name)
- Beaverton Metropolitan Chamber of Commerce (Beaverton Chamber)
- City of Beaver Springs (COBS)
- Sonoma Technology Consulting, LLC (SonomaTech)
- BlackHat Consultants, LLC (BlackHat)
+ Can I get additional customization?
Yes. There is added cost involved due to labor incurred, but we can customize to meet your specific requirements.
+What is ComplianceForge.com?
We are a niche cybersecurity consulting business. We've been focused on providing IT security consulting and documentation since 2005.
+ Is this software or a subscription service?
Neither. The Written Information Security Program (WISP) is a one-time purchase and no software needs to be installed. The WISP is delivered via e-mail as a Microsoft Word attachment. You can e-mail it to your users, post it to a file share, or print it out for users to read - you have the flexibility to deploy it as it best suits you.
+ How quickly can I receive my order?
Turn around time is generally the same business day, but we give a buffer of 1-2 business days. Upon completing the online transaction, you will receive a confirmation e-mail. The completed product will be delivered to the e-mail address used to register at the time of purchase.
+ As an IT consultant, can I custom-brand policies for my customer as a reseller?
Yes. We offer a Value Added Reseller (VAR) program for IT consultants. Please contact us and we can get the process implemented within a few business days.
+ What is the refund policy?
Due to the Intellectual Property (IP) nature of the Information Security products and services offered by ComplianceForge.com, we do not offer refunds once the product has been delivered to a client. ComplianceForge.com stands behind its products and services. The primary author is a CISSP, MCITP, MCSE, CRISC, MBA and former military officer, so the quality of the work is equivalent to what is found in a Fortune 500 (enterprise-class) environment. The solutions provided by ComplianceForges are based on industry-recognized best practices and standards - with many satisfied clients from around the country.